help got a trojan

Thread: help got a trojan

  1. #1
    Member
    Join Date
    Jul 2003
    Posts
    80

    help got a trojan

    I ran a virus test yesterday and my AV found 2 viruses, one located in C:\WINDOWS\BELT.EXE and the other located in C:\WINDOWS\TEMP\BELT.EXE. The details on the AV said it was a downloader trojan, Downloader.Stubby.A. I looked at it in the temp files and saw it was a zipped file. Ran a search on it and found a few more Belt files. Opened one with Notepad and this was what I got:

    I'm guessing this came from one of my brother's downloads. Plz reply.

    Thanks
    Hobbit
    You need people of intelligence on this sort of quest...

  2. #2
    Banned
    Join Date
    Apr 2003
    Posts
    3,840
    This might help.

    http://forum.digitalspy.co.uk/board/...d74735eds.html

    Try removing it with your AV, download Spybot and Ad-Aware, run a search in the registry and delete all files related to the virus you can find on your computer. If you get an error when trying to delete the file, look in the Task Manager to see if the process is running; if it is, "End Process Tree" it and then remove the files.

    Also try www.moosoft.com and try to download this http://www.webattack.com/download/dlhijackthis.shtml

    Also try this site. http://www.computing.net/security/ww...orum/7431.html
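    A PowerShell triage script, added here as an example and not part of the thread, that carries out the steps above (stop the running process, locate every BELT copy, record hashes, check the Run keys). It assumes a modern Windows with PowerShell 4 or later; the $names list and the C:\Quarantine folder are my choices, and suspect files are quarantined rather than deleted so they can still be scanned or submitted to an AV vendor.

```powershell
# Added triage helper (not from the thread). Assumes PowerShell 4+ on a modern
# Windows; the C:\WINDOWS paths in the thread are mapped onto $env:windir.
$names      = @('belt.exe', 'belt.ini')                # artifacts named in the thread
$quarantine = Join-Path $env:SystemDrive 'Quarantine'  # assumed quarantine folder
$runKeys    = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# 1. Stop any running instance first, otherwise the file stays locked
#    (the "End Process Tree" step in the post above).
Get-Process -Name 'belt' -ErrorAction SilentlyContinue | ForEach-Object {
    "Stopping PID $($_.Id) ($($_.Path))"
    Stop-Process -Id $_.Id -Force
}

# 2. Locate every copy under the Windows directory (the main copy and the TEMP copy).
$found = Get-ChildItem -Path $env:windir -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $names -contains $_.Name.ToLower() }

# 3. Record size and SHA-256 before moving anything, then quarantine the file
#    under a name that cannot be double-clicked into execution.
if (-not (Test-Path $quarantine)) {
    New-Item -ItemType Directory -Path $quarantine | Out-Null
}
foreach ($f in $found) {
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    "$($f.FullName)  size=$($f.Length)  sha256=$hash"
    $dest = Join-Path $quarantine ("$($f.Name).$hash.quar")
    Move-Item -Path $f.FullName -Destination $dest -Force
}

# 4. List autostart entries that still reference the file. These are printed for
#    manual review rather than deleted automatically.
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -match 'belt\.exe' } |
            ForEach-Object { "Autostart: $key\$($_.Name) = $($_.Value)" }
    }
}
```

    Run it from an elevated PowerShell prompt, since the Windows directory and the HKLM Run key are not writable by a standard user.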

  3. #3
    Senior Member
    Join Date
    Jun 2002
    Posts
    311
    Try using hijackthis to close it - click

    And take a look at this -
    click

    Turn System Restore off by going into Control Panel - Administrative Tools - Services, then click the Standard tab at the bottom of the screen. Then stop the System Restore service, double-click it, then disable it and hit OK. Then go to C:\System Volume Information\ and delete, top down, all the folders there. The last one you will not likely be able to delete. Go to that directory, called something like '_restore{A22afafea-af4C84-afad-6aafawe46B610}', double-click it and go to the last entry called RP something; double-click it and you will get a screen saying the virus is there. Run AVG for that directory and let it heal it. Try to delete the dir if possible. Next go up to the preceding directory just above it and double-click it to see if AVG alerts you; if so, do the same thing and continue up until AVG does not alert you. To be safe you can reboot, go to safe mode and to C:\System Volume Information\, and delete anything in it. Upon booting back into Windows, run AVG completely again to be sure. Then go back to Control Panel - Administrative Tools - Services and re-enable the System Restore service, assuming you want the ability to restore using XP Restore.
    Might want to get something like regprotect after you clean it.

    Belt.exe - Look what google found

  4. #4
    I got bugged with a "Trojan" alert too the past few days, and neither my AVG virus scan nor my Ad-Aware could find it .... I now downloaded that "HijackThis", and I came up with quite a few things that shouldn't be on my PC ... let's hope that "trojan" was one of 'em

  5. #5
    Okay now, that HijackThis didn't take care of it either; still got a message saying a Trojan horse downloader Dyfica.H was being detected, so I ran a search for the damn thing on Google, and there I found a post in some forum saying that he got rid of it with the latest version of AVG, being 7 .... I went to get that, and YES, not only did it detect it, it also gave me the option to move it to "vault" or delete the file... which I did of course, delete it that is.... damn thing been bugging me long enough!

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Go to www.moosoft.com and download the trojan cleaner. This will take care of it.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    Alright, so I just ran that cleaner of yours too, horse13, and it didn't find it. Guess that means I finally DID get rid of it

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    If the moosoft tool didn't find it, then I'd say that you are cleaned of the horrible little devil.

  9. #9

  10. #10
    Member tsunami's Avatar
    Join Date
    Jul 2003
    Posts
    30
    Hey BD]Hobbit

    Troj/Stubby-A is indeed a trojan that attempts to download more files from the internet. I work for an AV company that shall remain sort of unnamed, and during analysis we discovered that the site that the Trojan attempts to contact isn't actually there anymore, so the Trojan is pretty useless.
    As it's a Trojan you can simply just delete the file, either manually, ensuring not to run the file at any time, or, the better alternative, use an AV product to run a scan and delete/remove all infected files.

    If you still have the file I would really appreciate looking at it, so I can compare it to the other sample that I have looked at. If you have it send it to :
